Application Layer Security Protocols By: Mudassar Hayee Jasbir Singh “This report was prepared for Professor L. Orozco-Barbosa in partial fulfillment of the requirements for the course ELG/CEG 4183” SITE University of Ottawa
Topics That Will Be Discussed • Security over the internet • Introduction (chapter 7 of this course) • Firewalls • Authentication and key distribution systems • Keberos • SESAME • Security enhanced application protocols • Electronic Mail • S/MIME • Remote Terminal Access • TELNET
Security Over the Internet (Introduction) • Why do we need security? • Packet sniffing • IP Spoofing • Denial of Service (DOS) • We desire security to address these main concerns: • Secrecy (encryption) • Authentication (confirm identity) • Message integrity
Security Over the Internet (Introduction) • Techniques used: • Network layer security • Cryptography • Public key encryption • Digital signatures • Trusted intermediaries • Application layer security • Firewalls • Top 3 myths about firewalls • Protocols • Electronic mail • PGP – discussed in class! • S/MIME • Remote communication • Telnet • WWW transactions (HTTP) • Discussed in class!
Application Layer Firewalls • A firewall is an intermediate system that can be placed between two networks to protect one from the other. • A firewall is a host running proxy servers, which control the network access.
Authentication and Key Distribution Systems Authentication is a problem that can be tackled by providing a password to access the resource. A key distribution system to authenticate a system (ie. public key encryption) makes it very secure.
Kerberos • Is a protocol that provides authentication and authorization. • It uses a symmetric key which is based on the password the client entered.
How Kerberos Works: • Client(C) wants to connect to application server(V). • 1. Client sends his name and name of TGS server to AS. • 2. AS replies with a TGT that is encrypted with a key based on the client’s password. If the client types in the correct password, the client will be able to decipher the message and obtain TGT.
How Kerberos Works(cont’d): • 3. The client sends the TGT to the TGS. The TGT contains encrypted identification and time stamp information by a key that is shared between the AS and the TGS. • 4. Once the AS has been verified by the TGS, the TGS gives access to the application server.
How Kerberos Works(cont’d): • 5. The client sends the message to the application server(V). The client encrypts the message with a public key. • 6. This is an optional message when the user requires authentication by the verifier.
SESAME • Was developed because many companies were either not protecting themselves or buying an insurance policy. • Objective was to define and implement protocols for authentication, access control, data confidentiality, and data integrity. • An extension to Kerberos
SESAME on-line Authorities • AS: authenticates the user. • PAS: returns the appropriate certificate for the user. • KDS: is used to generate the keys to talk with the application.
How SESAME works: • The client sends authenticator message to AS. The AS uses the public key that was obtained from PAS. Once the digital signature has been verified on the authenticator, the client has been authenticated to the system. • The AS will now sends the client’s public key encrypted by a session key generated by AS. AS will also send an authenticator digitally signed with it’s private key.
How SESAME works(cont’d): • The client will now verify this authenticator with AS’s public key that was obtained from AS’s certificate. • If it has been verified, the AS has been authenticated to the client.
Security Enhanced Application Protocols • At the application layer, security services must be defined, implemented and incorporated into each application individually. • ie. the application developer needs to address the issue of security.
Electronic Mail • The US Postal service (USPS) recently announced their PosteCS service. In the future they promise full support for digital signatures and encryption through public/private key digital certificate technology. • Other approaches to electronic mail security include secure MIME (S/MIME), and SMTP-based security. • S/MIME = secure multi-purpose internet mail extension.
Why S/MIME? • It claims to provide the highest level of protection against intrusions, message-content tampering, spoofing, and unwanted viewing of message content.
How S/MIME Works? • It uses public and private key pairs maintained for users involved in the secure communication. • A sender can add a digital signature (to assure the recipient that the message is authentic) or encrypt the message (to protect the content from unwanted viewing or tampering) using X.509v3 certificates. • Certificate validation steps occur when client sends or opens a secure message: certificate revocation checking, timestamp checking, digital signature validation.
How S/MIME Works? • Outlook 2000 and Outlook Express 5.0 support certificate revocation list (CRL ) distribution points (CDPs) which can provide automated certificate revocation checking. CDPs are defined by the ITU-T as part of the X.509 standard. • Certificate life time needs to be validated by client as well because certificates have limited lifespans. • to check digital signatures, use a trusted CA certificate's public key to check for integrity and authenticity. • the certificate must be on a certificate trust list (CTL) that resides with the client. • if the certificate’s ID differs from the sender's SMTP address, an error message notifies the client. This protects the client against impersonation and "man-in-the-middle" attacks.
Limitations - when somebody digitally signs a message, it adds a copy of his/her public key to it…..and somebody could extract the key from the message, posing a potential security threat. - to prevent this, encryption is also necessary to protect the key itself, but difficult to implement
Remote Terminal Access - TELNET • Telnet has long been a standard Internet protocol ; however, a standard way of ensuring privacy and integrity of Telnet sessions has been lacking. Traditional Telnet severs operate without presentation of authorization credentials (due to historical reasons). Currently, a TLS-based Telnet Security Internet-draft (IETF) exists which addresses Telnet security and proposes a standard method for Telnet servers and clients to use the TLS security protocol. It describes how the participants decide whether or not to attempt TLS negotiation, and how to process authentication credentials as part of the TLS start-up. • This 5th version paper expires April 2001.
Telnet Authentication and Authorization • Authentication of the server by the client: • PKI-based authentication via TLS handshake • Non-PKI based authentication via TLS handshake • Authentication by Telnet AUTH option (RFC 2941) • Authentication of the client by the server: • PKI-based authentication via TLS handshake • Non-PKI based authentication via TLS handshake • Authentication by Telnet AUTH option (RFC 2941) • Traditional Username and Password
Telnet Authentication and Authorization(cont’d) • For client-server authentication of anonymous connections • Both the client’s and the server’s TLS finished messages must be verified according to their content. Example: Authentication via Kerberos 4 after TLS negotiation
References Angerbauer, Ralf. Internet Mail Security. Presentation for ECE575 – Data Security and Cryptography. Spring 1998. http://www.security.ece.orst.edu/koc/ece575/98Project/Angerbauer/sld001.htm Ashley, Paul. SESAME. August 20, 1998. http://www.isrc.qut.edu.au/sesame/index.html Boe, Michael and Altman, Jeffrey. TLS-based Telnet Security. IETF Internet-Draft. The Internet Society, October 24th, 2000. http://www.ietf.org/internet-drafts/draft-ietf-tn3270e-telnet-tls-05.txt Chochran, Jerry. Secure Messaging Solutions for Exchange. Exchange & Outlook Update: Windows2000 Magazine. January 31st, 2001. http://www.win2000mag.com/Articles/Index.cfm?ArticleID=19815&Key=Secure%20MIME%20%28S%2FMIME%29
References(cont’d) Clercq, Jan De. Certificate Validation. Windows2000 Magazine. June 1st, 2000. http://www.win2000mag.com/Articles/Index.cfm?ArticleID=8335&Key=Secure%20MIME%20%28S%2FMIME%29 Curtin, Matt and Ranum, Marcus J. Internet Firewalls: Frequently Asked Questions. December 1st, 2000. http://www.interhack.net/pubs/fwfaq/ Oppliger, Rolf. Securing the Internet. INET'99: The International Global Summit. McEnery Convention Centre, San Jose, California, United States. June 22-25, 1999. http://www.ifi.unizh.ch/~oppliger/Docs/PowerPoint/INET_99/sld001.htm Vijayan, Jaikumar. Microsoft issues new security patch for Win2k telnet security hole. ComputerWorld, September 22, 2000. http://www.computerworld.com/cwi/story/0,1199,NAV47_STO51149,00.html
References (cont’d) Vanderwauver, Mark and Govaerts, Rene and Vanderwalle, Joos. Overview of Authentication Protocols. http://www.esat.kuleuven.ac.be/cosic/sesame/papers/carnahan.pdf